linux-stable/io_uring
Jens Axboe 390a61d284 io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths
[ Upstream commit 98b6fa62c8 ]

Since the buffers are mapped from userspace, it is prudent to use
READ_ONCE() to read the value into a local variable, and use that for
any other actions taken. Having a stable read of the buffer length
avoids worrying about it changing after checking, or being read multiple
times.

Similarly, the buffer may well change in between it being picked and
being committed. Ensure the looping for incremental ring buffer commit
stops if it hits a zero sized buffer, as no further progress can be made
at that point.

Fixes: ae98dbf43d ("io_uring/kbuf: add support for incremental buffer consumption")
Link: https://lore.kernel.org/io-uring/tencent_000C02641F6250C856D0C26228DE29A3D30A@qq.com/
Reported-by: Qingyue Zhang <chunzhennn@qq.com>
Reported-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-09-04 16:55:43 +02:00
advise.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
advise.h
alloc_cache.c
alloc_cache.h
cancel.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
cancel.h
cmd_net.c io_uring/cmd: move net cmd into a separate file 2025-04-28 11:51:31 -06:00
epoll.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
epoll.h
eventfd.c io_uring/eventfd: open code io_eventfd_grab() 2025-04-24 08:33:54 -06:00
eventfd.h io_uring/eventfd: dedup signalling helpers 2025-04-24 08:33:54 -06:00
fdinfo.c io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() 2025-06-10 11:20:04 -06:00
fdinfo.h
filetable.c
filetable.h
fs.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
fs.h
futex.c io_uring/futex: ensure io_futex_wait() cleans up properly on failure 2025-08-28 16:34:34 +02:00
futex.h
io_uring.c Revert "io_uring: gate REQ_F_ISREG on !S_ANON_INODE as well" 2025-07-08 11:09:01 -06:00
io_uring.h io_uring: remove duplicate io_uring_alloc_task_context() definition 2025-06-17 06:41:48 -06:00
io-wq.c io_uring/io-wq: add check free worker before create new worker 2025-09-04 16:55:31 +02:00
io-wq.h io_uring/wq: avoid indirect do_work/free_work calls 2025-04-21 05:06:58 -06:00
kbuf.c io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths 2025-09-04 16:55:43 +02:00
kbuf.h io_uring/kbuf: flag partial buffer mappings 2025-06-26 12:17:48 -06:00
Kconfig io_uring: make zcrx depend on CONFIG_IO_URING 2025-03-31 07:07:44 -06:00
Makefile io_uring/fdinfo: only compile if CONFIG_PROC_FS is set 2025-05-16 12:33:02 -06:00
memmap.c io_uring/memmap: cast nr_pages to size_t before shifting 2025-08-20 18:40:43 +02:00
memmap.h io_uring: update parameter name in io_pin_pages function declaration 2025-05-09 07:58:22 -06:00
msg_ring.c io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU 2025-07-08 11:08:31 -06:00
msg_ring.h
napi.c
napi.h
net.c io_uring/net: commit partial buffers on retry 2025-08-20 18:40:44 +02:00
net.h
nop.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
nop.h
notif.c io_uring: remove io_preinit_req() 2025-05-06 10:11:23 -06:00
notif.h
opdef.c io_uring: make fallocate be hashed work 2025-06-23 08:58:44 -06:00
opdef.h
openclose.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
openclose.h io_uring: add support for IORING_OP_PIPE 2025-04-21 05:06:58 -06:00
poll.c io_uring/poll: fix POLLERR handling 2025-07-16 10:28:28 -06:00
poll.h
refs.h io_uring: always do atomic put from iowq 2025-04-03 08:31:57 -06:00
register.c io_uring: consistently use rcu semantics with sqpoll thread 2025-06-12 08:17:09 -06:00
register.h
rsrc.c io_uring: export io_[un]account_mem 2025-08-20 18:40:43 +02:00
rsrc.h io_uring: export io_[un]account_mem 2025-08-20 18:40:43 +02:00
rw.c io_uring/rw: cast rw->flags assignment to rwf_t 2025-08-20 18:41:43 +02:00
rw.h io_uring/kbuf: pass bgid to io_buffer_select() 2025-04-21 05:06:58 -06:00
slist.h
splice.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
splice.h
sqpoll.c io_uring/sqpoll: don't put task_struct on tctx setup failure 2025-06-17 06:43:18 -06:00
sqpoll.h io_uring: consistently use rcu semantics with sqpoll thread 2025-06-12 08:17:09 -06:00
statx.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
statx.h
sync.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
sync.h
tctx.c io_uring/wq: avoid indirect do_work/free_work calls 2025-04-21 05:06:58 -06:00
tctx.h
timeout.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
timeout.h io_uring/timeout: don't export link t-out disarm helper 2025-05-06 10:11:23 -06:00
truncate.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
truncate.h
uring_cmd.c io_uring/cmd: warn on reg buf imports by ineligible cmds 2025-05-23 06:31:06 -06:00
uring_cmd.h io_uring/cmd: axe duplicate io_uring_cmd_import_fixed_vec() declaration 2025-05-20 14:36:41 -06:00
waitid.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
waitid.h
xattr.c io_uring: finish IOU_OK -> IOU_COMPLETE transition 2025-05-21 08:41:16 -06:00
xattr.h
zcrx.c io_uring/zcrx: don't leak pages on account failure 2025-08-20 18:41:44 +02:00
zcrx.h io_uring/zcrx: account area memory 2025-08-20 18:40:43 +02:00